2005-08-03 17:56:26 +00:00
|
|
|
## <summary>Policy for MySQL</summary>
|
|
|
|
|
|
2010-03-11 18:19:55 +00:00
|
|
|
######################################
|
|
|
|
|
## <summary>
|
2010-03-12 13:55:34 +00:00
|
|
|
## Execute MySQL in the mysql domain.
|
2010-03-11 18:19:55 +00:00
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2010-03-12 13:55:34 +00:00
|
|
|
## <summary>
|
2010-08-05 13:03:19 +00:00
|
|
|
## Domain allowed to transition.
|
2010-03-12 13:55:34 +00:00
|
|
|
## </summary>
|
2010-03-11 18:19:55 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_domtrans',`
|
2010-03-12 13:55:34 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_t, mysqld_exec_t;
|
|
|
|
|
')
|
2010-03-11 18:19:55 +00:00
|
|
|
|
2010-03-12 13:55:34 +00:00
|
|
|
domtrans_pattern($1, mysqld_exec_t, mysqld_t)
|
2010-03-11 18:19:55 +00:00
|
|
|
')
|
|
|
|
|
|
2005-08-03 17:56:26 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Send a generic signal to MySQL.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_signal',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
allow $1 mysqld_t:process signal;
|
|
|
|
|
')
|
|
|
|
|
|
2008-07-25 04:07:09 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Allow the specified domain to connect to postgresql with a tcp socket.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_tcp_connect',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
corenet_tcp_recvfrom_labeled($1, mysqld_t)
|
|
|
|
|
corenet_tcp_sendrecv_mysqld_port($1)
|
|
|
|
|
corenet_tcp_connect_mysqld_port($1)
|
|
|
|
|
corenet_sendrecv_mysqld_client_packets($1)
|
|
|
|
|
')
|
|
|
|
|
|
2005-08-03 17:56:26 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Connect to MySQL using a unix domain stream socket.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-08-03 17:56:26 +00:00
|
|
|
#
|
|
|
|
|
interface(`mysql_stream_connect',`
|
|
|
|
|
gen_require(`
|
2008-11-18 19:55:10 +00:00
|
|
|
type mysqld_t, mysqld_var_run_t, mysqld_db_t;
|
2005-08-03 17:56:26 +00:00
|
|
|
')
|
|
|
|
|
|
2010-09-15 10:50:18 +00:00
|
|
|
files_search_pids($1)
|
2008-07-23 21:38:39 +00:00
|
|
|
stream_connect_pattern($1, mysqld_var_run_t, mysqld_var_run_t, mysqld_t)
|
2008-11-18 19:55:10 +00:00
|
|
|
stream_connect_pattern($1, mysqld_db_t, mysqld_var_run_t, mysqld_t)
|
2005-08-03 17:56:26 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Read MySQL configuration files.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## </param>
|
2006-09-06 22:07:25 +00:00
|
|
|
## <rolecap/>
|
2005-08-03 17:56:26 +00:00
|
|
|
#
|
|
|
|
|
interface(`mysql_read_config',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_etc_t;
|
|
|
|
|
')
|
|
|
|
|
|
2008-10-20 16:10:42 +00:00
|
|
|
allow $1 mysqld_etc_t:dir list_dir_perms;
|
|
|
|
|
allow $1 mysqld_etc_t:file read_file_perms;
|
|
|
|
|
allow $1 mysqld_etc_t:lnk_file read_lnk_file_perms;
|
2005-08-03 17:56:26 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Search the directories that contain MySQL
|
|
|
|
|
## database storage.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
# cjp: "_dir" in the name is added to clarify that this
|
|
|
|
|
# is not searching the database itself.
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`mysql_search_db',`
|
2005-08-03 17:56:26 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_db_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
2008-10-20 16:10:42 +00:00
|
|
|
allow $1 mysqld_db_t:dir search_dir_perms;
|
2005-08-03 17:56:26 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Read and write to the MySQL database directory.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`mysql_rw_db_dirs',`
|
2005-08-03 17:56:26 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_db_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
|
|
|
|
allow $1 mysqld_db_t:dir rw_dir_perms;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Create, read, write, and delete MySQL database directories.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`mysql_manage_db_dirs',`
|
2005-08-03 17:56:26 +00:00
|
|
|
gen_require(`
|
2005-10-19 16:44:24 +00:00
|
|
|
type mysqld_db_t;
|
2005-08-03 17:56:26 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
2006-12-12 20:08:08 +00:00
|
|
|
allow $1 mysqld_db_t:dir manage_dir_perms;
|
2005-08-03 17:56:26 +00:00
|
|
|
')
|
|
|
|
|
|
2009-05-06 14:26:20 +00:00
|
|
|
#######################################
|
|
|
|
|
## <summary>
|
2009-06-26 14:40:13 +00:00
|
|
|
## Append to the MySQL database directory.
|
2009-05-06 14:26:20 +00:00
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2009-06-26 14:40:13 +00:00
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
2009-05-06 14:26:20 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_append_db_files',`
|
2009-06-26 14:40:13 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_db_t;
|
|
|
|
|
')
|
2009-05-06 14:26:20 +00:00
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
|
|
|
|
append_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
## <summary>
|
2009-06-26 14:40:13 +00:00
|
|
|
## Read and write to the MySQL database directory.
|
2009-05-06 14:26:20 +00:00
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2009-06-26 14:40:13 +00:00
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
2009-05-06 14:26:20 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_rw_db_files',`
|
2009-06-26 14:40:13 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_db_t;
|
|
|
|
|
')
|
2009-05-06 14:26:20 +00:00
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
files_search_var_lib($1)
|
2009-05-06 14:26:20 +00:00
|
|
|
rw_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
#######################################
|
|
|
|
|
## <summary>
|
2009-06-26 14:40:13 +00:00
|
|
|
## Create, read, write, and delete MySQL database files.
|
2009-05-06 14:26:20 +00:00
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2009-06-26 14:40:13 +00:00
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
2009-05-06 14:26:20 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_manage_db_files',`
|
2009-06-26 14:40:13 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_db_t;
|
|
|
|
|
')
|
2009-05-06 14:26:20 +00:00
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
files_search_var_lib($1)
|
|
|
|
|
manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
|
2009-05-06 14:26:20 +00:00
|
|
|
')
|
|
|
|
|
|
2005-10-12 17:32:41 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Read and write to the MySQL database
|
|
|
|
|
## named socket.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-10-12 17:32:41 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-10-12 17:32:41 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
2006-02-02 21:08:12 +00:00
|
|
|
interface(`mysql_rw_db_sockets',`
|
2005-10-12 17:32:41 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_db_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
files_search_var_lib($1)
|
2008-10-20 16:10:42 +00:00
|
|
|
allow $1 mysqld_db_t:dir search_dir_perms;
|
2008-10-16 16:09:20 +00:00
|
|
|
allow $1 mysqld_db_t:sock_file rw_sock_file_perms;
|
2005-10-12 17:32:41 +00:00
|
|
|
')
|
|
|
|
|
|
2005-08-03 17:56:26 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Write to the MySQL log.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2006-02-10 18:41:53 +00:00
|
|
|
## <summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## Domain allowed access.
|
2006-02-10 18:41:53 +00:00
|
|
|
## </summary>
|
2005-08-03 17:56:26 +00:00
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_write_log',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_log_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
logging_search_logs($1)
|
2010-09-20 09:59:03 +00:00
|
|
|
allow $1 mysqld_log_t:file { write_file_perms setattr_file_perms };
|
2005-08-03 17:56:26 +00:00
|
|
|
')
|
2008-11-18 19:55:10 +00:00
|
|
|
|
2010-03-12 13:59:23 +00:00
|
|
|
######################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Execute MySQL server in the mysql domain.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
2010-08-05 13:03:19 +00:00
|
|
|
## Domain allowed to transition.
|
2010-03-12 13:59:23 +00:00
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_domtrans_mysql_safe',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_safe_t, mysqld_safe_exec_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
domtrans_pattern($1, mysqld_safe_exec_t, mysqld_safe_t)
|
|
|
|
|
')
|
|
|
|
|
|
2010-02-23 05:07:42 +00:00
|
|
|
#####################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## Read MySQL PID files.
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_read_pid_files',`
|
|
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_var_run_t;
|
|
|
|
|
')
|
|
|
|
|
|
|
|
|
|
mysql_search_pid_files($1)
|
|
|
|
|
read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
|
|
|
|
')
|
|
|
|
|
|
2009-05-06 14:26:20 +00:00
|
|
|
#####################################
|
|
|
|
|
## <summary>
|
2009-06-26 14:40:13 +00:00
|
|
|
## Search MySQL PID files.
|
2009-05-06 14:26:20 +00:00
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
2009-06-26 14:40:13 +00:00
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
2009-05-06 14:26:20 +00:00
|
|
|
## </param>
|
|
|
|
|
##
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_search_pid_files',`
|
2009-06-26 14:40:13 +00:00
|
|
|
gen_require(`
|
|
|
|
|
type mysqld_var_run_t;
|
|
|
|
|
')
|
2009-05-06 14:26:20 +00:00
|
|
|
|
2009-06-26 14:40:13 +00:00
|
|
|
search_dirs_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
2009-05-06 14:26:20 +00:00
|
|
|
')
|
|
|
|
|
|
2008-11-18 19:55:10 +00:00
|
|
|
########################################
|
|
|
|
|
## <summary>
|
|
|
|
|
## All of the rules required to administrate an mysql environment
|
|
|
|
|
## </summary>
|
|
|
|
|
## <param name="domain">
|
|
|
|
|
## <summary>
|
|
|
|
|
## Domain allowed access.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
## <param name="role">
|
|
|
|
|
## <summary>
|
|
|
|
|
## The role to be allowed to manage the mysql domain.
|
|
|
|
|
## </summary>
|
|
|
|
|
## </param>
|
|
|
|
|
## <rolecap/>
|
|
|
|
|
#
|
|
|
|
|
interface(`mysql_admin',`
|
|
|
|
|
gen_require(`
|
2010-09-20 10:09:09 +00:00
|
|
|
type mysqld_t, mysqld_var_run_t, mysqld_initrc_exec_t;
|
|
|
|
|
type mysqld_tmp_t, mysqld_db_t, mysqld_log_t;
|
|
|
|
|
type mysqld_etc_t;
|
2008-11-18 19:55:10 +00:00
|
|
|
')
|
|
|
|
|
|
|
|
|
|
allow $1 mysqld_t:process { ptrace signal_perms };
|
|
|
|
|
ps_process_pattern($1, mysqld_t)
|
|
|
|
|
|
|
|
|
|
init_labeled_script_domtrans($1, mysqld_initrc_exec_t)
|
|
|
|
|
domain_system_change_exemption($1)
|
|
|
|
|
role_transition $2 mysqld_initrc_exec_t system_r;
|
|
|
|
|
allow $2 system_r;
|
|
|
|
|
|
2010-09-20 09:59:51 +00:00
|
|
|
files_list_pids($1)
|
2008-11-18 19:55:10 +00:00
|
|
|
admin_pattern($1, mysqld_var_run_t)
|
|
|
|
|
|
|
|
|
|
admin_pattern($1, mysqld_db_t)
|
|
|
|
|
|
2010-09-20 09:59:51 +00:00
|
|
|
files_list_etc($1)
|
2008-11-18 19:55:10 +00:00
|
|
|
admin_pattern($1, mysqld_etc_t)
|
|
|
|
|
|
2010-09-20 09:59:51 +00:00
|
|
|
logging_list_logs($1)
|
2008-11-18 19:55:10 +00:00
|
|
|
admin_pattern($1, mysqld_log_t)
|
|
|
|
|
|
2010-09-20 09:59:51 +00:00
|
|
|
files_list_tmp($1)
|
2008-11-18 19:55:10 +00:00
|
|
|
admin_pattern($1, mysqld_tmp_t)
|
|
|
|
|
')
|
